I've gone ahead and moved [4] to the "Recommended Practices" section.

The ballot to modify the BRs is now in the formal discussion period leading
up to a vote [5].

I'll be resolving the existing compliance bugs on this issue as INVALID.
I'd like to thank the CAs that proactively submitted incident reports
rather than taking a "wait and see" approach. That degree of transparency
is both appreciated and encouraged.

- Wayne

[5] https://cabforum.org/pipermail/servercert-wg/2019-October/001145.html

On Wed, Oct 2, 2019 at 2:20 AM Rob Stradling <r...@sectigo.com> wrote:

> On 02/10/2019 00:51, Wayne Thayer wrote:
> > On Tue, Oct 1, 2019 at 3:34 AM Rob Stradling wrote:
> >
> >     I propose that you update [4] to say that Mozilla won't treat
> >     non-compliance with [4] as an "incident" whilst it remains the case
> >     that the BRs are inconsistent with [4].
> >
> > I could simply move [4] to a "recommended practice" (SHOULD) until the
> > ballot comes into force, then move it back to "required". That implies
> > that the bugs which have been opened for this specific issue (responding
> > "unknown" - not to be confused with "returns 1 byte") will be closed as
> > INVALID.
> >
> > Are there strong objections to this course of action?
>
> It seems a bit strange to recommend a practice that CAs cannot currently
> adhere to without violating the BRs and some other root programs'
> policies, but at the same time it is helpful to signpost upcoming policy
> changes.
>
> I don't object strongly.
>
> > - Wayne
> >
> > [4] https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Precertificates
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Sectigo Limited
>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
